Privately owned companies, although not bound by the requirements of the Sarbanes-Oxley Act (SOX), are feeling the effects of the law in specific areas of their businesses, as well as the impact of widespread public commitment to stronger internal controls that the law has helped to create. In response to these pressures, more closely held companies are demanding additional internal audits and internal auditors, as well as providing new business opportunities for external auditors.

The Institute of Internal Auditors’ (IIA) reports the the number of certified internal auditors (CIA) has grown from 40,212 in 2002 to 59,300 in response to the demand for Sarbanes-related services. The IIA's membership includes approximately 125,000 members in 160 countries around the world. Sarbanes-Oxley has stimulated support for stronger internal controls among public and private companies, according to Holly Daniels, a manager in the professional practices division of IIA, and auditors are adding certifications to strengthen their Sarbanes qualifications.

CH2M, a privately held company in Douglas County, Colorado, has had to hire several new full-time staffers and another outside auditing firm to gain compliance with Sarbanes-Oxley because it runs an internal stock market for trading its own shares among its 18,000 employees, the Denver Post reports. “We knew we were going to be required to comply with Sarbanes-Oxley,” said Catherine Santee, senior vice president for finance. “What was unanticipated was how much it would cost to do that.”

Other Colorado companies are embracing parts of Sarbanes for different reasons. Luis Solis, chief executive of GroupSystems, a private software company, told the Post, “Every venture firm has to worry about Sarbanes-Oxley-type stuff because at some point someone’s going to buy you or you are going to go public. You had better be pretty close to Sarbanes Oxley compliant at that time; otherwise it would be virtually impossible to go public . . or a buyer would have real trouble acquiring the business.”

MediaNews Group, owner of the Denver Post, has had to hire additional internal audit staff and create an internal audit department in order to meet some requirements of Sarbanes-Oxley. Although the company is private, it has public debt and files with the Securities and Exchange Commission (SEC), the Post says.

Private companies chose to adopt some or most of the requirements of Sarbanes-Oxley, according to the Wall Street Journal, because their executives believe stronger internal controls will improve efficiency, and directors see its benefits on public companies. Companies may feel pressure from customers or suppliers who are public companies. “The stakes have gotten higher in public companies. Some of that extends to the network of suppliers,” James Mattie, national-assurance leader for PricewaterhouseCoopers’ (PwC) new Private Company Services practice, told the Journal.

Printing-press manufacturer Goss International Corp.’s chief financial officer Joe Gaynor plans to hire PwC for a “dry-run” audit to identify potential weaknesses in the privately held company. Mr. Gaynor thinks Goss could benefit from standardizing its policies and procedures, according to the Journal. Eight business units operate independently and Gaynor worries about gaps in human-resource policies.

Auditors of private companies are also encouraging their clients to hire an additional external auditor to value their assets after an acquisition. “Before [Sarbanes Oxley] a lot of them were just doing it internally,” said Jim Connors, managing partner of Quist Valuation in Broomfield, Colorado, the Denver Post reports. Since the law passed, auditors “have been insisting that they find a third-party valuation firm.”

Public companies complain that the fees associated with a Sarbanes-Oxley audit by external auditors are burdensome, a fact that makes many privately held companies wary of the process. In Denver the accounting firm Fortner, Bayens, Levkulich and Co., has chosen to stop auditing public companies because of the fees it must pay to the Public Company Accounting Oversight Board (PCAOB), which it then must pass on to clients, Charlie Garrison, partner, told the Denver Post. Garrison said his firm didn’t want to deal with the PCAOB.

As the Sarbanes process in public companies has identified control problems, however, it continues to bring opportunities for new business improvements that simplify compliance. This week Sun Microsystems, Inc. announced Sun Java System Identity Manager 7.0, its enhanced identity management software. The software is designed to analyze identity control violations in systems, notify compliance officers of violations and address policy exceptions. Sun’s announcement says that the software enables customers to bridge the gap between IT security and internal and external auditors responsible for compliance with regulations such as Sarbanes-Oxley.